Modulo 19: Implement site-to-site IPsec VPNs
19.1 Configure a Site-to-Site IPsec VPN
19.1.1 IPsec Negotiation
Step 1
An Internet Security Association and Key Management Protocol (ISAKMP) tunnel is initiated when host A sends “interesting” traffic to host B. Traffic is considered interesting when it travels between the peers and meets the criteria that are defined in an ACL.
Step 2
IKE Phase 1 begins. The peers negotiate the ISAKMP SA policy. When the peers agree on the policy and are authenticated, a secure tunnel is created.
Step 3
IKE Phase 2 begins. The IPsec peers use the authenticated secure tunnel to negotiate the IPsec SA policy. The negotiation of the shared policy determines how the IPsec tunnel is established.
Step 4
The IPsec tunnel is created, and data is transferred between the IPsec peers based on the IPsec SAs.
Step 5
The IPsec tunnel terminates when the IPsec SAs are manually deleted, or when their lifetime expires.
19.1.2 Site-to-Site IPsec VPN Topology
Implementing a site-to-site VPN requires configuring settings for both IKE Phase 1 and Phase 2. In the Phase 1 configuration, the two sites are configured with the necessary ISAKMP security associations to ensure that an ISAKMP tunnel can be created.
19.1.3 IPsec VPN Configuration Tasks
All XYZCORP VPNs should be implemented using the following security policy:
Encrypt traffic with AES 256 and SHA.
Authenticate with PSK.
Exchange keys with DH group 14.
ISAKMP tunnel lifetime is 1 hour.
IPsec tunnel uses ESP with a 15-minute lifetime.
Configuration Tasks:
The configuration tasks required to meet this policy are:
Task 1: Configure the ISAKMP Policy for IKE Phase 1
Task 2: Configure the IPsec Policy for IPsec Phase 2
Task 3: Configure a Crypto Map for the IPsec Policy
Task 4: Apply the IPsec Policy
Task 5: Verify that the IPsec Tunnel is Operational
19.1.4 Existing ACL Configurations
Although XYZCORP does not have an existing ACL configuration, this would not be the case in a production network.
19.1.5 Handling Broadcast and Multicast Traffic
The XYZCORP topology uses static routing, so there is no multicast or broadcast traffic that needs to be routed through the tunnel.
19.2 ISAKMP Policy
19.2.1 The Default ISAKMP Policies
The first task is to configure the ISAKMP policy for IKE Phase 1. The ISAKMP policy lists the SAs that the router is willing to use to establish the IKE Phase 1 tunnel.
19.2.2 Syntax to Configure a New ISAKMP Policy
When in ISAKMP policy configuration mode, the SAs for the IKE Phase 1 tunnel can be configured. Use the mnemonic HAGLE to remember the five SAs to configure:
Hash
Authentication
Group
Lifetime
Encryption
19.2.3 ISAKMP Policy Configuration
To meet the security policy requirements for XYZCORP, configure the ISAKMP policy with the following SAs:
Hash is SHA
Authentication is pre-shared key
Group is 14
Lifetime is 3600 seconds
Encryption is AES
19.2.4 Pre-Shared Key Configuration
The XYZCORP security policy requires that a pre-shared key be used for authentication between the peers. The administrator can either specify a host name or an IP address for the peer. The command syntax is shown below.
19.3 IPsec Policy
19.3.1 Define Interesting Traffic
Although the ISAKMP policy for the IKE Phase 1 tunnel is configured, the tunnel does not yet exist.
19.3.2 Configure IPsec Transform Set
The next step is to configure the set of encryption and hashing algorithms that will be used to transform the data sent through the IPsec tunnel.
19.4 Crypto Map
19.4.1 Syntax to Configure a Crypto Map
Now that the interesting traffic is defined and an IPsec transform set is configured, it is time to bind those configurations with the rest of the IPsec policy in a crypto map.
19.4.2 Crypto Map Configuration
To finish the configuration to meet the IPsec security policy for XYZCORP, complete the following:
Step 1. Bind the ACL and the transform set to the map.
Step 2. Specify the peer’s IP address.
Step 3. Configure the DH group.
Step 4. Configure the IPsec tunnel lifetime.
19.4.3 Apply and Verify the Crypto Map
To apply the crypto map, enter interface configuration mode for the outbound interface and configure the crypto map map-name command. Below is the configuration for XYZCORP.
19.5 IPsec VPN
19.5.1 Send Interesting Traffic
Now that both the ISAKMP and IPsec policies are configured, and the crypto map is applied to the appropriate outbound interfaces, test the two tunnels by sending interesting traffic across the link.
19.5.2 Verify the ISAKMP and IPsec Tunnels
Sending interesting traffic does not actually mean that the tunnels are established. R1 and R2 will route traffic between the two LANs even if the ISAKMP and IPsec policy configurations are wrong.
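The five tasks above carried through on one peer, as an added example that is not the course's own configuration. The commands are standard Cisco IOS; the interface names, IP addresses, ACL number, transform-set and crypto-map names, and the pre-shared key are constructed placeholders, and R2 would mirror the same configuration with the two sides swapped.

```cisco
! Added example, not the module's own configuration: R1 side of the XYZCORP policy.
! Assumed topology: R1 LAN 192.168.1.0/24 behind G0/0/0, R1 WAN 10.1.1.2 on G0/0/1,
! R2 WAN 10.2.2.2 with LAN 192.168.2.0/24. All addresses and the key are placeholders.
!
! Task 1: ISAKMP policy for IKE Phase 1 (HAGLE: Hash, Authentication, Group, Lifetime, Encryption)
crypto isakmp policy 10
 hash sha
 authentication pre-share
 group 14
 lifetime 3600
 encryption aes 256
!
! Pre-shared key for the peer, keyed on its IP address (a host name is also allowed)
crypto isakmp key PLACEHOLDER_PSK address 10.2.2.2
!
! Define interesting traffic: only LAN-to-LAN traffic triggers the tunnel
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! Task 2: IPsec transform set for IKE Phase 2 (ESP with AES-256 and SHA HMAC)
crypto ipsec transform-set R1-R2-TS esp-aes 256 esp-sha-hmac
!
! Task 3: crypto map binding the ACL, transform set, peer, DH group and 15-minute lifetime
crypto map R1-R2-MAP 10 ipsec-isakmp
 match address 102
 set transform-set R1-R2-TS
 set peer 10.2.2.2
 set pfs group14
 set security-association lifetime seconds 900
!
! Task 4: apply the crypto map to the outbound (WAN) interface
interface GigabitEthernet0/0/1
 crypto map R1-R2-MAP
!
! Task 5: verify after sending interesting traffic (e.g. a ping from one LAN to the other).
! A successful ping alone proves nothing, since the routers forward the traffic either way.
! show crypto isakmp sa    -> a peer entry in state QM_IDLE means Phase 1 is up
! show crypto ipsec sa     -> #pkts encaps and #pkts decaps should increase with traffic
```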